Brazilian Government Site Serves Up Phishing Kit

The third time may not necessarily be a charm for Brazilian government website, Prefeitura Municipal de Esperança, as it was reported to be a victim of yet another compromise. This was said to be the third time in a span of two months that the government site has taken a beating from cybercriminals and used it to play accomplice to cybercriminal activities. Other reported attacks have led the site to host malicious content designed to be used in a series of phishing attacks. In one instance, an attack also used the site to host drive-by malware that can be installed in an unknowing victim’s system.

The most recent attack reported last week makes use of a phishing kit that is capable of stealing webmail credentials. While the kit has different variations, the phishing page displays the same error message on the user’s screen, even after correct credentials are keyed in. These are then sent to cybercriminal remotely. Commonly targeted by online crooks, email credentials are often used to compromise other accounts associated with it across different platforms and channels.

Last December, the first in the series of attacks was carried out using content that rendered the site vulnerable, thus hosting a phishing attack directed at customers of Wells Fargo bank. Though the injected malicious content was removed, the site was once again targeted in January by another phishing scheme that was aimed at PayPal customers. The latter scheme not only stole PayPal credentials and banking information, but also tried to inject drive-by malware using hidden iframes.

With the recurrence of compromise on the mentioned site, security and cyber intelligence officials deem that the website contains a gaping security hole that still remains unpatched. This made it easy for attackers to remotely upload content to the web server.

Other researchers opine that the slew of attacks on the site could be attributed to the vulnerable version of WordPress (4.0.9) it uses to host and manage content. WordPress, in a separate advisory, notes that versions lower than its latest release (4.4.1) is unmaintained and is not advisable to use. It was also noted that the site’s use of a shared hosting platform could be also be a factor. Over 70 websites are utilizing the same IP address that Prefeitura Municipal de Esperança uses. It follows that any vulnerability that exists in any of the other non-government sites could be instrumental to staging an attack to the government site.

2019 SECURITY PREDICTIONS

Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape.View the 2019 Security Predictions